Daily Fantasy Sports Sites’ Emerging Identity Management & Verification Challenges

Merritt Maxim

Recent business and sports headlines in the US have been dominated by state and federal government efforts to assess whether daily fantasy sports (DFS) sites, such as FanDuel and DraftKings, should be treated and regulated like gambling. The New York State Attorney General recently issued cease-and-desist letters against DraftKings and FanDuel to stop accepting bets in the state, stating that DFS operations are illegal gambling.  

Last week, Massachusetts Attorney General Maura Healey announced a plan to allow DFS providers to operate in Massachusetts under certain provisions, such as:

* Prohibiting anyone under 21 from participating in DFS.
* Prohibiting professional athletes and other employees of pro teams from participating in DFS.
* Prohibiting employees of DFS providers from participating in games.
* Requiring DFS providers to identify "highly experienced" players on all contest platforms and offer "beginner" games that would be off limits to the more experienced players.

These provisions present a range of identity management and identity verification challenges and questions, such as:

* How will sites verify the ages of online participants?
* How will systems detect DFS employees?

Two-Factor Authentication (2FA) Companies Continue to be Attractive Acquisition Targets

Merritt Maxim

Last week, Courion announced its acquisition of Nova Scotia-based SecureReset, which, through its QuickFactor product, provides mobile-based two-factor authentication (2FA). This is the fourth acquisition of a 2FA startup by an enterprise software vendor in 2015:

* Twilio acquired Authy, February 2015 (purchase price N/A).
* Salesforce acquired Toopher, April 2015 (purchase price N/A).
* Micro Focus acquired Authasas, July 2015 (purchase price N/A).
* Courion acquired SecureReset, November 2015 (purchase price N/A).

These acquisitions reflect ongoing enterprise demand for 2FA solutions as an alternative to passwords. By now, the problems with passwords are well-known: They are easy for hackers to steal in bulk, and ongoing advances in computing processing power have eroded password security.

Since a password-free world is still somewhere off in the future, two-factor authentication provides a compelling password alternative that can help mitigate security risks. The evolution toward software-based 2FA form factors running on smartphones instead of dedicated single-purpose hardware tokens has eased deployment and training costs; it has also enabled large-scale consumer deployments of two-factor authentication as a password replacement alternative. These 2015 acquisitions demonstrate the continued interest in two-factor authentication.

Forrester’s Security & Risk Spotlight – Kelley Mak

Stephanie Balaouras

Thanks for tuning in to this week’s analyst spotlight podcast with researcher Kelley Mak! Kelley’s research concentrates on threat and vulnerability management, web content security, email security and overall trends in security architecture and operations. Kelley is currently working side by side with

Forrester Predictions: What’s In Store For Privacy In 2016?

Heidi Shey

When evaluating the top 10 critical success factors that will determine who wins and loses in the Age of the Customer in 2016, it comes as no surprise that privacy is one of them. In fact, privacy considerations and strategy augment all of the 10 critical factors to drive business success in the next 12 months.


So, what does this mean for businesses moving forward?


Blue Coat Systems Buy Elastica after Perspecsys

Andras Cser

As we predicted in our Brief: The Emergence of the Cloud Security Gateway, this market is consolidating fast. Blue Coat Systems announced this morning that they are acquiring Elastica. Forrester estimates that the acquisition price was between USD $280M-300M, while Blue Coat Systems has already spent an estimated $180-200M on Perspecsys. Here's how Forrester expects Blue Coat Systems will assemble their Cloud Security Gateway solution:

* Elastica intellectual property (IP): will be used for a) behavioral profiling, b) predictive analytics and c) anomaly detection in access to cloud applications.

* Perspecsys IP: will be used for a) cloud encryption and b) key management.

Blue Coat Systems has a herculean task on their hands. They have to successfully manage:

1) Understanding the existing Elastica and Perspecsys product portfolios

2) Integrating the Elastica and Perspecsys product portfolios into one single CSG offering

3) Integrating the resulting CSG solution with existing Blue Coat Systems solutions

4) All while managing the natural differences, post-acquisition attrition of key management and engineering resources from both acquired companies

Forrester expects that Blue Coat Systems will be able to do the above successfully in 9-12 months.

Starting soon: Threat Intelligence Platforms research

Rick Holland

In my last threat intelligence blog, I discussed my new research on threat intelligence providers. I included a graphic which carved out four functional threat intelligence areas: 1) Providers 2) Platforms 3) Enrichment 4) Integration. In December, I will start the next piece of research in the series, focusing on Threat Intelligence Platforms (TIPs). This will likely be two reports, one focusing on people, process and use cases and the other focusing on the vendor landscape. My presentation at the 2016 SANS Cyber Threat Intelligence Summit will include some perspective on the state of threat intelligence platforms.

I will be looking into the following functional areas. I'm also going to look beyond TIPs to see how traditional analytics platforms like SIEMs are including these capabilities. I will also look into how SIEMs and TIPs should function in the same environment. I will also address the "roll your own platform" phenomenon that is common in technology firms and large financial institutions. Depending on the size and maturity of an organization, multiple solutions could be involved in addressing the use cases; I will also break that functionality out.

  1. Ingestion 
  2. Enrichment 
  3. Analysis (Important: How does TIP improve tradecraft?)
  4. Exploration 
  5. Integration 
  6. Collaboration
  7. Sharing 

Maximizing Your Investment In Cyberthreat Intelligence Providers

Rick Holland

I just published my latest research on threat intelligence: Vendor Landscape: S&R Pros Turn To Cyberthreat Intelligence Providers For Help. This report builds upon The State Of The Cyberthreat Intelligence Market research from June. In the new research, I divide the threat intelligence space into four functional areas: 1) Providers 2) Platforms 3) Enrichment 4) Integration. This research is designed to help readers navigate the crowded threat intelligence provider landscape and maximize limited investment resources. In this report, we looked at 20 vendors providing a range of tactical, operational, and strategic threat intelligence.

When developing threat intelligence capabilities, one of the most important requirements is to collect and develop your own internal intelligence. Nothing will be as relevant to you as intelligence gathered from your own environment, your own intrusions. Before you invest six figures (or more) in 3rd party threat intelligence, make sure you are investing in your internal capabilities. Relevancy is one of the most important characteristics of actionable intelligence; check out "Actionable Intelligence, Meet Terry Tate, Office Linebacker" for more details on the traits of actionable intelligence.

In the report, I use the traditional intelligence cycle as a framework to evaluate threat intelligence providers. The intelligence cycle consists of five phases:

Forrester’s Security & Risk Research Spotlight: Stuck Between A Hack & Frustrated Customers

Stephanie Balaouras

Are passwords a dying breed? With every other organization getting hacked, many S&R pros would argue that if passwords aren’t dead yet, they should be. Yet many companies such as LogMeIn and LastPass continue to make strategic acquisitions, proving that interest in password management solutions remains high among enterprises and consumers (check out their press release, here). It’s hard to have any confidence in a method that appears to be ineffective, frustrating, and highly outdated. Many companies are attempting to gain back consumer trust by offering voice biometrics, multi-step authentication methods, or other authentication alternatives to supplement or replace their existing policies.

Unfortunately, fraudsters are getting smarter and customers don’t want to spend more than 30 seconds logging into their accounts. With the addition of the multiple banking accounts, online shopping IDs, and social media platforms that almost every consumer uses daily, the challenge for these companies to keep all online accounts secure while also providing the painless log-in that customers are demanding can quickly turn into a catch-22. What is easy and convenient for customers is also incredibly insecure, thus making them the perfect bait for cybercriminals.

Europe Leads In Global Privacy – Announcing Forrester's 2015 Data Privacy Heat Map

Christopher Sherman

Businesses are moving toward personalization, which means they’ll increasingly collect personal data to get a better idea of what their customers want and need. In the age of the customer, defined by Forrester as a 20-year business cycle when successful enterprises will reinvent themselves as digital businesses in order to serve their increasingly powerful customers, protecting customer data is a critical aspect of fostering trust and building long-lasting relationships.

Regardless of location, all countries should have this goal in mind, but privacy regulations vary from country to country and often conflict with each other. For global organizations, navigating these laws can be daunting. To help businesses tackle this challenge, Forrester published its 2015 Data Privacy Heat Map. Originally created in 2010, the tool leverages in-depth analyses of the data privacy-related laws and cultures of 54 countries around the world, helping security leaders and decision-makers better design their own approaches to privacy and data protection.

Fingerprint authentication enters online banking at Bank of America - and signals FIDO's first major adoption event

Andras Cser

Bank of America's website and press release say that you can use your TouchID on iOS to sign into BofA's mobile application on iOS.

This move is a major milestone in FIDO's and fingerprint biometrics' adoption in the mainstream consumer authentication market. Forrester expects fingerprint authentication will greatly improve the customer experience: no more fumbling with hard-to-type passwords on small smartphone keyboards. It's important to note that matching the fingerprint to authenticate the user happens in the mobile application on the mobile device. As such, it is not a true two-factor, strong authentication where the match happens on the server side.